By Topic: FTC Enforcement

As geolocation technology advances, so do state, federal and international laws regulating it. The Cybersecurity Law Report spoke with ZwillGen attorneys Melissa Maalouf and Anna Hsia about keeping up with evolving geolocation data regulations in the U.S. and beyond. Smart choices early in the process, coupled with adequate disclosures and consent, will go a long way towards a company becoming and staying compliant, they said. See also “How to Respond to Law Enforcement Demands for Geolocation Data and Data Stored Abroad” (Nov. 30, 2016).

In its Privacy & Data Security Update, released in January 2018, the FTC recapped its 2017 enforcement actions, workshops, advocacy and guidance. “FTC is establishing itself as the top dog in the cybersecurity regulatory arena and I think it is struggling to keep up with the evolving technology innovation in its enforcement actions, not only in terms of the tech innovation but also in terms of the sophistication of the malicious actors that are potentially attempting to breach systems,” Fried Frank partner Una Dean told The Cybersecurity Law Report. The first part of our article series distilled lessons from the FTC’s update, examined enforcement highlights and steps companies can take to comply with applicable laws and steer clear of the FTC’s reach. Part two explored what can be learned from the FTC’s 2017 workshops and guidance and shed light on what to expect from the agency in 2018. See also “The Devil Is in the Details: LabMD Imposes Limitations on the FTC’s Enforcement Authority” (Jun. 13, 2018).

In a closely watched data security case with significant implications for all enforcement actions, the United States Court of Appeals for the Eleventh Circuit struck down an FTC cease-and-desist order as impermissibly vague, providing a setback for FTC enforcement efforts. In this guest article, Buckley Sandler attorneys Elizabeth McGinn, Sasha Leonhardt and A.J. Dhaliwal explain the background of LabMD, Inc. v. FTC and the Eleventh Circuit’s decision, and provide lessons for companies examining their cybersecurity protections and data breach response programs. See “Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)” (Jan. 31, 2018); Part Two (Feb. 14, 2018).

Mobile devices are “obvious targets for attack,” the FTC stated in a recent report analyzing device security and providing guidance. “Given the increased use, pervasiveness and capabilities of mobile devices, it is not surprising that the FTC focused on evaluating the efficacy of mobile security updates,” Covington partner Yaron Dori and associate Caitlin Meade told The Cybersecurity Law Report. This article highlights and explains the key lessons from the report, which discusses the difficulties in securing the data transmitted by mobile devices and ways to improve security. See our two-part series, “Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)” (Jan. 31, 2018); Part Two (Feb. 14, 2018).

A pair of recent FTC orders demonstrates that despite aggressive action against businesses deemed to have made false or deceptive disclosures on privacy and cybersecurity matters, the Commission is also open to a more nuanced approach to disclosure and is willing to reconsider existing consent orders when circumstances change. This article analyzes (1) the recent settlement order with PayPal, whose Venmo unit misled users about the privacy of transactions and the availability of their funds, and (2) the Order Reopening and Modifying a 2009 Order, which does away with a requirement that Sears make extensive disclosures on its mobile apps about how it tracks certain web browsing. See “Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)” (Jan. 31, 2018).

The FTC recently recapped its 2017 enforcement actions, workshops and other guidance, and provided information on best privacy and data security measures for companies, big and small. It addressed issues such as IoT devices, payment systems, artificial intelligence and blockchain technologies. In this second article of our two-part series, legal and technical experts distill valuable lessons from the agency’s 2017 workshops and guidance and discuss what to expect from the FTC in 2018. In the first part, we examined 2017 enforcement highlights and steps companies can take to comply with applicable laws and steer clear of the FTC’s reach. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

In its recently released Privacy & Data Security Update, the FTC recapped its 2017 privacy and data security enforcement actions, advocacy, workshops and guidance, providing valuable information about steps companies can take to ensure their privacy and data security measures are up-to-snuff. In this first part of our article series covering lessons from the Update, we examine, with expert insight, enforcement highlights – from financial services actions to general privacy cases – and what these actions tell us about steps companies should take to comply with applicable laws and steer clear of the FTC’s reach. Part two will cover what can be learned from the FTC’s 2017 workshops and guidance and shed light on what to expect from the agency in 2018. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

The FTC’s recent settlement with an online tax preparation service for violations of the Safeguards Rule demonstrates the agency’s willingness to pursue companies that have fallen victim to hackers, according to some practitioners. Everyone, including hackers, knows that customers tend to use the same usernames and passwords for multiple online accounts. It turns out that entities subject to the Privacy and Safeguards Rules of the Gramm-Leach-Bliley Act need to take measures to protect their own customers whose information just might have been accessed inappropriately elsewhere. With input from Debevoise partner Jeremy Feigelson, The Cybersecurity Law Report takes a close look at the TaxSlayer settlement and what it means for financial institutions of all sizes. See also “SEC Officials Flesh Out Cybersecurity Enforcement and Examination Priorities (Part One of Two)” (May 3, 2017); Part Two (May 17, 2017).

The E.U.-U.S. Privacy Shield framework has survived its first annual review. On October 18, 2017, the E.U. Commission released its report and working document on the review (Report), saying the Shield works well but there is room for improvement. Commissioner for Justice, Consumers and Gender Equality Věra Jourová said, “The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the E.U. and U.S. must actively monitor to ensure we keep guard over our high data protection standards.” We analyze the Report’s findings and provide insight on the implications of those findings and the pros and cons of self-certification under the framework from AvePoint’s chief compliance and risk officer Dana Simberkoff. She told us that there are “certainly a lot of companies using Privacy Shield and that’s a testament to the fact that it is a viable framework from the perspective of U.S. companies.” See “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

Companies continue to seek more detailed guidance on data-security expectations from regulators such as the FTC. As a follow-up to its 2015 Start With Security Guide, which contained 10 fundamentals, the FTC launched its Stick With Security blog series. It builds on those 10 principles using hypotheticals to take “a deeper dive” into proactive data-protection steps. The first article in our two-part series examined the blog posts analyzing the first five principles of Start With, and this second article continues with the remaining five. The “examples in the posts help companies with line drawing and balancing risk,” Kelley Drye partner Dana Rosenfeld told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

Despite operating with only two of five Commissioners, the FTC has continued its data-privacy-enforcement efforts. It recently struck a major settlement with Lenovo over adware that was pre-installed on laptops and, unbeknownst to consumers, acted as a “man-in-the-middle,” with the ability to capture all of the data users transmitted to e-commerce websites they visited. It also reached settlements with three companies based on allegedly false claims of compliance with the U.S.-E.U. Privacy Shield framework. We explain the facts and circumstances that gave rise to the FTC enforcement actions and the terms of the settlements. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

The FTC and private plaintiffs have sharpened their focus on children’s privacy and COPPA in recent months. Updated COPPA guidance and approval for changes to a valuable safe harbor program for companies have been issued by the FTC. In addition, private plaintiffs are attempting to find ways to bring civil suits based on COPPA concepts despite the lack of a private right of action in the regulation itself. Companies “absolutely need to start thinking very seriously about COPPA compliance and the FTC’s warning. If the FTC starts to make enforcement a priority, it can certainly take a lot of steps to impose hefty sanctions on companies that are found out of compliance,” Eimer Stahl partner Dan Birk told The Cybersecurity Law Report. See also “Enforcing Consumer Consent: FTC Focuses on Location Tracking and Children’s Privacy” (Jul. 6, 2016).

As a follow-up to its 2015 Start With Security business guide, which contained “10 manageable fundamentals applicable to companies of any size,” the FTC has launched its Stick With Security series, which builds on those 10 principles using “a series of hypotheticals to take a deeper dive into steps companies can take to safeguard sensitive data in their possession.” Over two articles, we analyze the ten installments of the series along with expert commentary and lessons from the posts. See “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

Uber’s recent FTC settlement, in which it agreed to implement a comprehensive privacy program designed to address privacy risks and protect consumers’ confidential information, highlights the utility of a privacy impact assessment (PIA), which may help other companies stay out of the agency’s crosshairs in the first instance. This article summarizes Uber’s settlement of FTC claims that were based on allegations that it failed to properly protect consumers’ personal information, and covers the role of a PIA in designing a comprehensive privacy program, including what the process should entail, who should be involved, cost-benefit considerations and how it helps to fulfill regulatory obligations. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

In a recently announced $2.2 million settlement with television manufacturer VIZIO, the FTC and the state of New Jersey emphasized the importance of providing notice and consent, particularly when connected-device users may not expect the types of data collection and sharing taking place. The action demonstrates the coordination of federal and state enforcement agencies, and the settlement terms serve to inform connected-device companies about the agencies’ expectations. In terms of data collection and disclosure, “companies should consider what consumers expect of a device, particularly if it was an analog device that has not been smart in the past,” FTC attorney Megan Cox told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “Privacy, Security Risks and Applicable Regulatory Regimes of Smart TVs” (Jan. 11, 2017).

In 2016 alone, more than 35 million records were reported as compromised in more than 980 data breaches, which made consumers wary of trusting companies to handle their data. This leaves companies wondering what they can do to amplify their data security practices to help avoid consumer distrust and the scrutiny of regulators. The FTC expects “reasonable” security, but what does that mean? In this guest article, Kelley Drye & Warren attorneys Alysa Z. Hutnik and Crystal N. Skelton shed light on the answer to this question by detailing illustrative data security enforcement actions over the past year and the security practices the agency has indicated should be implemented as well as those it has warned should be avoided. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

From holding events on ransomware, disclosure and marketing tactics, to entering into settlement agreements for the misuse of location data, to tackling APEC’s privacy framework for the first time, 2016 was a busy year for the FTC’s privacy and security enforcement arm. The Commission’s actions indicate that it is intending to keep pace with the latest tech and policy developments. But what is in store for 2017? At IAPP’s recent Practical Privacy Series conference, FTC Commissioner Maureen Ohlhausen discussed the agency’s priorities for the coming year. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

Many companies are still wondering how to develop and implement a data security program that meets the FTC’s reasonableness requirement. “There is a hunger for a checklist,” Kelley Drye partner Alysa Hutnik told The Cybersecurity Law Report. Although not necessarily applicable across the board, the NIST Cybersecurity Framework, along with the FTC’s comments on it and its release of a new breach response guide, serve as useful resources. In this second part of our two-part series on the FTC’s data security expectations in the context of the NIST Cybersecurity Framework, in-house and outside counsel discuss how the Framework’s core functions align with the FTC’s requirements. They also provide steps companies of all types and sizes can take to incorporate these functions into their own security practices. Part one explored the implications of the FTC’s recent communication and detailed three initial steps companies should take to meet the FTC’s reasonableness standard. See also “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

The NIST Cybersecurity Framework, while useful, is not a panacea, the FTC recently said, leaving many companies still wondering how to develop and implement a data security program that meets the regulator’s reasonableness requirement. With input from in-house and outside counsel, we examine the FTC’s data security expectations in the context of the NIST Cybersecurity Framework. Part one of this two-part series explores the implications of the FTC’s recent communication, how and when practitioners use the Framework and details three initial steps companies should take to meet the FTC’s reasonableness standard. Part two will cover the Framework’s core functions, how they align with the FTC’s requirements and steps companies can take to incorporate these functions into their own security practices. See also “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

What constitutes privacy harm? What are reasonable data security practices? Companies and regulators struggle to pin down these pressing questions while technology keeps moving the baseline. In the first data security case litigated before the FTC, the agency provided some answers, finding that the data security practices of LabMD were unfair under the FTC Act. The FTC disagreed with the Administrative Law Judge, who held in November 2015 that the FTC had not shown that LabMD’s conduct caused, or is likely to cause, substantial consumer injury. “The bottom line significance for companies is that you have to have reasonable security at the outset,” Phyllis Marcus, Hunton & Williams counsel, said. “Everything else flows from that. It matters much less what happens to a document once it’s breached or leaked and what actual consumer harm may be down the road than what the security measures were at the outset.” For a discussion of the ALJ’s November decision, see “FTC Loses Its First Data Security Case” (Nov. 25, 2015).

Understanding how data is collected and shared is a critical component of cybersecurity and data privacy compliance. A recent PLI briefing looked at big data through the lens of businesses that use it for marketing, considering the various means by which it is collected, shared and used, the panoply of relevant laws and the related enforcement and litigation landscape. In addition to providing insight on these aspects, the program’s featured speaker, Robert H. Newman, a partner at Winston & Strawn, offered practical guidance for addressing big data issues in contracts and for dealing with data brokers. See also “Keeping Up With Technology and Regulatory Changes in Online Advertising to Mitigate Risks” (Jan. 6, 2016).

The popularity of the new app Pokémon Go, an augmented reality game in which players use their mobile devices to catch Pokémon characters in real-life locations, continues to grow despite security and privacy concerns. Intelligence firm Sensor Tower estimates the game has been downloaded 75 million times. The game’s success brings to light a number of privacy issues generally tied to the collection, storage and sharing of user information by mobile apps, as well as users’ control of those actions and the app’s disclosure practices. Justine Gottshall, a partner at InfoLawGroup, and Shook, Hardy & Bacon attorney Eric Boos recently spoke with The Cybersecurity Law Report about these issues as well as the recently filed lawsuit alleging that the Pokémon Go terms of service and privacy policy are deceptive and unfair. See “Legal and Regulatory Expectations for Mobile Device Privacy and Security” Part One (Feb. 3, 2016); Part Two (Feb. 17, 2016).

The FTC is using its enforcement power to ensure meaningful choice when it comes to geo-location tracking that companies use to gain key marketing data, particularly when children are involved. The FTC brought an action against the global online advertising company InMobi alleging that the company had tracked millions of mobile app users, including children, even when they had opted out, and had misrepresented its practices to app developers and publishers. In the recent settlement, InMobi agreed to pay a significant fine and comply with a detailed long-term injunction. Donna Wilson, Manatt partner, told The Cybersecurity Law Report that companies should expect a “continued emphasis” from regulators on children’s privacy and geo-location practices, as well as a closer look at “how companies’ conduct in that area lines up with what they are telling either consumers and/or business partners and other third parties.” See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

Much like smartphones, today’s automobiles have become vast data endpoints, equipped with advanced electronics, sensors and computing power. In cars, though, these advancements not only facilitate communications but also enhance safety and the driving experience. As panelists at the recent IAPP Privacy Summit pointed out, a breach can implicate physical safety as well as data privacy. The panelists, including in-house experts at AT&T and General Motors, discussed the threat landscape for connected cars, the current regulatory framework governing cybersecurity of connected cars and how the automobile industry is developing best practices and automobile design to meet consumer expectations while minimizing cybersecurity risk. See also “Designing Privacy Policies for Products and Devices in the Internet of Things” (Apr. 27, 2016).

Both employees and employers continue to expand their use of social media, presenting a myriad of risks and spawning a spate of guidance and regulations. In a recent Practising Law Institute program, Christine Lyon, a partner at Morrison & Foerster, discussed recent developments related to social media in the workplace and detailed best practices for drafting a social media policy with the enforcement landscape in mind. See also “Avoiding Privacy Pitfalls While Using Social Media for Internal Investigations” (Dec. 9, 2015).

Increasingly, general counsel, privacy officers and even CEOs are taking on more and more data privacy and security compliance burdens because of the significant legal implications of not just breaches, but failure to comply with a range of privacy and cybersecurity regulations. That applies to international transfers of data as well. In a guest article, Aaron Charfoos, Jonathan Feld and Stephen Tupper, members of Dykema, discuss recent global developments and ten ways companies can ensure compliance with new regulations to increase data security and minimize the risk of enforcement actions. See also “Liability Lessons From Data Breach Enforcement Actions” (Nov. 11, 2015).

The expanding range of cyber threats companies face is forcing them to consider how best to anticipate, prevent and manage cyber attacks. In a recent PLI program, Brian E. Finch, a partner at Pillsbury Winthrop Shaw Pittman, discussed the changing landscape of cyber threats, sources of liability for a company and strategies to manage cybersecurity risk and related litigation, including a list of post-breach do’s and don’ts. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

As the FTC continues to strongly assert its role in the data protection and privacy space, companies are seeking guidance on best practices to meet the regulator’s expectations. At ALM’s recent cyberSecure conference, Andrea Arias, an attorney in the FTC’s Division of Privacy and Identity Protection, identified the Commission’s enforcement priorities and offered insight on how companies can comply with its rules and policies, noting recent instructive cases. A previous article featured insights from Arias’ fellow cyberSecure panelists, Sachin Kothari, director of online privacy and compliance at AT&T, Inc. and Chaim Levin, chief U.S. legal officer at Tradition Group, on implementing a “privacy-by-design” program for in-house corporate governance structures. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

The receipt of a civil investigative demand from the FTC should not induce panic – a CID is “a vehicle for inquiry and we close far more [cases] than we bring,” Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, said during a panel at the recent IAPP Practical Privacy Series. Along with Mithal, the panel featured private outside counsel experts Stuart Ingis, a partner at Venable; and Hunton & Williams counsel Phyllis Marcus. They provided advice on how to handle a CID, from the first steps through requesting a closed case, including the view from behind the scenes at the FTC. In this second installment of our two-part series, we cover the FTC’s perspective on the CID process and how best to prepare for and conduct the meetings with the FTC staff and directors. Part one examined best practices for the first steps to take after receiving the CID, as well as strategies for setting up the client for a successful result. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

With consumers now using mobile devices in nearly every aspect of their personal and professional lives, companies are collecting, storing and sharing information from mobile use for a wide range of initiatives such as improving products and services and targeted advertising. During a recent webinar, WilmerHale partners D. Reed Freeman, Jr. and Heather Zachary examined the latest federal, state and self-regulatory privacy and data security expectations. Part one in this two-part series covers the panelists’ detailed discussion about how practitioners can navigate the regulatory environment for mobile advertising, including self-regulatory guidance and the increasingly important role of the FCC. In part two, Freeman and Zachary address: how to ensure compliance in the use of cross-device advertising and tracking; lessons from the Telephone Consumer Protection Act; and key aspects of the E.U. and Canada’s mobile privacy and data security regulations. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

Recognizing the benefits of “big data” and its widespread use, on January 6, 2016, the FTC issued a staff report on best practices for companies to minimize risks of that use, including the potential for discrimination against certain populations. The report, Big Data: A Tool For Inclusion or Exclusion? Understanding the Issues, addresses applicable laws and policy considerations and provides a series of questions to help companies become and remain compliant. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

Receiving a civil investigative demand (CID) from the FTC can be nerve-wracking, but there are ways to make the process smoother. During the recent IAPP Practical Privacy Series 2015, a panel of government and private outside counsel experts provided advice on how to respond to written requests and steps companies can take to best position themselves in front of the agency, starting with the first telephone call. The panel featured Maneesha Mithal, FTC Associate Director, Division of Privacy and Identity Protection; Venable partner Stuart Ingis; and Hunton & Williams counsel Phyllis Marcus. Part one in this two-part series examines best practices for first steps after receiving the CID, including the first call with the client and the initial contact with the FTC, as well as strategies for setting up the client for a successful result. Part two will cover the FTC’s perspective on the CID process and how best to prepare for and conduct the meetings with the FTC staff and directors. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

The FTC’s Bureau of Consumer Protection was hard at work in 2015, reaching settlements with a wide range of companies on a variety of privacy and data security issues. During the recent IAPP Practical Privacy Series 2015, Jessica Rich, Director of the Bureau of Consumer Protection and an architect of the FTC’s privacy program, reflected on the agency’s major enforcement actions, reports and relationships in 2015 and what businesses should expect in the coming year. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

In the FTC’s first loss in a data breach security case, and the first such case to reach a full adjudication, an administrative law judge dismissed the agency’s complaint against LabMD, Inc. regarding two alleged cybersecurity incidents at LabMD. The ALJ held, in a lengthy Initial Decision, that the FTC did not meet its burden on the first prong of the three-part test in Section 5(n) of the FTC Act – that LabMD’s conduct caused, or is likely to cause, substantial consumer injury. Phyllis Marcus, counsel at Hunton & Williams, said the ALJ was “holding the FTC Complaint Counsel, rightfully so, to the fire. Bald allegations of substantial injury or likelihood of substantial injury” to support an unfairness claim will no longer be sufficient if the case stands. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity,” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015).

In addition to the direct consequences of a data security incident, many companies that suffer data breaches must face lawsuits. In a recent webinar, Mintz Levin members Meredith Leary, Kevin McGinty and Mark Robinson discussed the various types of data security litigation and gave advice on how companies can best prepare for the likelihood of a lawsuit after a data breach. This article, the first in a two-part series, features their insight on how companies can put themselves in the best position now to defend their actions later. The panelists also identified threshold questions that companies can ask themselves during an internal investigation following a data breach. In the second article, they further explore best practices for internal investigations and common defenses in data breach class actions. See also “Liability Lessons from Data Breach Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 16 (Nov. 11, 2015).

Consumers’ online presence is constantly in motion as they jump from device to device throughout the day. Companies that want to track consumer activity are using new methods that follow consumers, and the platforms and applications they use, on these various devices. The FTC recently held a workshop to examine and address privacy issues raised by cross-device tracking. FTC Chairwoman Edith Ramirez commenced the workshop by explaining the Commission’s goal to allow technological innovation – with all the consumer benefits it offers – while safeguarding consumer privacy. We highlight the key points of her speech in which she emphasized the importance of effective transparency, notice, choice and security. See also “In the Wyndham Case, the Third Circuit Gives the FTC a Green Light to Regulate Cybersecurity Practices,” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015).

Inadequate cybersecurity measures can expose companies not only to data breach incidents, but to liability from multiple fronts, including state attorneys general, the FTC and civil litigants. In a recent panel at the Practising Law Institute, Michael Vatis, a Steptoe & Johnson partner, and KamberLaw partner David Stampley discussed the dynamic enforcement and judicial climate in this space, distilling actionable takeaways from recent settlements with state attorneys general, FTC actions including Wyndham, and evolving consumer litigation jurisprudence. The enforcement actions and litigations are instructive for companies seeking to fortify their internal information security and data privacy efforts and guard against the risk of liability in the event of a breach. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

Ensuring a target company has strong cybersecurity and data privacy programs is quickly becoming a pillar of merger and acquisition due diligence. In this two-part article series, we explain how these issues can be handled before, during and after the deal to ensure that a company’s data remains safe, compliant and in line with any privacy policies or other agreements. Part one focuses on cybersecurity and data privacy due diligence and proactive measures an acquiring company, as well as a target, can take to facilitate a smooth transaction, with examples from companies such as Disney and Instagram. Part two will examine how to handle cybersecurity problems when they are discovered; when to walk away; and how to manage risk, remediation and integration when the deal does move forward. See also “Cybersecurity and Information Governance Considerations in Mergers and Acquisitions,” The Cybersecurity Law Report, Vol. 1, No. 7 (Jul. 1, 2015).

The Wyndham decision makes clear that there is a “‘top cop’ regulatory agency looking over privacy and security practices of private business: the Federal Trade Commission,” Cynthia Larose, a member of Mintz Levin, told The Cybersecurity Law Report. On August 24, 2015, the Third Circuit denied Wyndham’s motion to dismiss an FTC complaint against it and held that the FTC can pursue Wyndham for allegedly weak data security practices that led to three breaches. “The FTC is here to stay in the data privacy and security space,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, said. We examine the decision and its implications. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity,” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015).

Like many industries, the health care sector is relying more heavily on new technology to provide digital medical records that are often stored on cloud-based servers and transmitted electronically. With the technological advances come privacy and security concerns that the FTC is watching closely. Cora Han, a senior attorney in the Division of Privacy and Identity Protection at the FTC, recently spoke at a meeting of the Health Care Cloud Coalition, a not-for-profit representing cloud computing, telecommunication, digital health, and healthcare companies in the health care sector. Han addressed the FTC’s expectations and enforcement efforts for privacy and security related to cloud-based mobile technology companies in the health care industry. See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

Mobile devices, and their constantly changing technology, present unique cybersecurity and privacy issues. In the second installment of our coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Aaron P. Simpson, a partner at Hunton & Williams, and H. Leigh Feldman, global chief privacy officer at Citi, discuss these challenges and contextualize relevant policy and regulatory landscapes in the U.S. and Europe, including enforcement activity. The first article in the series explained the specific challenges related to mobile and wearable technology and presented best practices for stakeholders as consumers demand control of their information. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

In its new guidance, “Start with Security,” the Federal Trade Commission is “stating its case why it should be recognized as the preeminent authority in this area,” Stephen Newman, a partner at Stroock, told The Cybersecurity Law Report. The FTC makes clear in the guidance that it expects companies to put strong cybersecurity practices in place and will hold the companies responsible for lax security measures if a breach does occur. The guidance also provides valuable compliance advice – it articulates the FTC’s thoughts on how to reduce risk with “fundamentals of sound security” based on “the lessons learned from the more than 50 law enforcement actions the FTC has announced so far.” We discuss the ten steps the FTC has put forward to enhance cyber compliance, with input from experts. See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

Faced with the threat of steep civil penalties that can arise from active FTC enforcement, operators of commercial websites must exercise caution when collecting personal information from children under the age of 13. The long reach of the Children’s Online Privacy Protection Act (COPPA) applies not only to first-party website operators but also extends to third parties that collect personal information on behalf of first-party operators in certain circumstances. In a recent presentation, attorneys Julia Siripurapu and Ari Moskowitz of Mintz Levin discussed key provisions and implementation of COPPA, including compliance, enforcement and applicability to third parties. They also provided advice on best practices for websites and online services regarding the collection and use of children’s personal information, and for educational institutions as parental agents.